05-18-2017 09:01 AM
Hello all,
I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.
More specifically, the famous site for SSL server tests, Qualys SSL Labs, presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worse).
This happens because, while PANOS 8.0.x has wider support of cipher suites for TLSv1.2, the additional cipher suites supported use weak Diffie-Hellman (DH) key exchange parameters. More specifically, for some cipher suites the DH key exchange is weak, as 1024-bit parameters are being used.
More specifically, for version 7.0.x, the cipher suite list is the following:
TLS 1.2 (suites in server-preferred order)
Cipher suite | Key exchange | Bits
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) | | 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) | | 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) | | 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) | | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | | 128
while in PANOS 8.0.x the list is the following:
TLS 1.2 (suites in server-preferred order)
Cipher suite | Key exchange | Bits
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) | | 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) | | 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) | | 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) | | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp521r1 (eq. 15360 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp521r1 (eq. 15360 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | ECDH secp521r1 (eq. 15360 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | ECDH secp521r1 (eq. 15360 bits RSA) FS | 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) | DH 1024 bits FS WEAK | 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) | DH 1024 bits FS WEAK | 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | DH 1024 bits FS WEAK | 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | DH 1024 bits FS WEAK | 128
The big question is how to disable these weak Forward Secrecy (FS) DH key exchange parameters, as there is no option to manipulate these settings either from the Web UI or the CLI.
Maybe the new SSL/TLS Service Profile that appeared in PANOS 7.1.x should have something for the cipher suites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order in which they are presented to the client's web browser).
Regards,
George G.
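To see concretely what the two listings above imply before touching a firewall, here is a small added example (not code from the thread or from Palo Alto Networks) that parses Qualys SSL Labs-style cipher suite lines like the ones quoted in the post and classifies each suite as no forward secrecy (static RSA key exchange), weak DH, or acceptable. The sample listing is the PANOS 8.0.x list copied from the post; the 2048-bit DH floor is an assumption chosen to match common audit expectations, and everything else is derived from the text of each line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the PANOS 8.0.x listing from the post, in Qualys-style text.
SAMPLE_LISTING = """\
TLS 1.2 (suites in server-preferred order) | |
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) | 256 |
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) | 128 |
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) | 256 |
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) | 128 |
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | 128 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp521r1 (eq. 15360 bits RSA) FS | 256 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp521r1 (eq. 15360 bits RSA) FS | 128 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK | 256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK | 128 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK | 256 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK | 128 |
"""

MIN_DH_BITS = 2048  # assumed audit floor for finite-field DH parameters

# One suite line: name, hex id, optional key-exchange text, cipher strength in bits.
LINE_RE = re.compile(
    r"^(?P<name>TLS_[A-Z0-9_]+)\s+\((?P<id>0x[0-9a-fA-F]+)\)"
    r"(?P<kx>.*?)\s*\|\s*(?P<bits>\d+)\s*\|?\s*$"
)
DH_RE = re.compile(r"\bDH\s+(\d+)\s+bits")   # finite-field DH, e.g. "DH 1024 bits"
ECDH_RE = re.compile(r"\bECDH\s+(\S+)")      # named curve, e.g. "ECDH secp521r1"


@dataclass
class Suite:
    name: str
    hex_id: int
    cipher_bits: int
    forward_secrecy: bool
    dh_bits: Optional[int]
    curve: Optional[str]

    @property
    def verdict(self) -> str:
        # Static RSA key exchange gives no forward secrecy at all.
        if not self.forward_secrecy:
            return "NO_FS"
        # Ephemeral DH with small parameters is what Qualys flags as WEAK.
        if self.dh_bits is not None and self.dh_bits < MIN_DH_BITS:
            return "WEAK_DH"
        return "OK"


def parse_listing(text: str) -> List[Suite]:
    """Parse Qualys-style suite lines; header rows and blank lines are skipped."""
    suites = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kx = m.group("kx")
        dh = DH_RE.search(kx)
        ec = ECDH_RE.search(kx)
        # FS is marked explicitly by Qualys; the suite name is a fallback.
        fs = "FS" in kx.split() or m.group("name").startswith(("TLS_ECDHE_", "TLS_DHE_"))
        suites.append(Suite(
            name=m.group("name"),
            hex_id=int(m.group("id"), 16),
            cipher_bits=int(m.group("bits")),
            forward_secrecy=fs,
            dh_bits=int(dh.group(1)) if dh else None,
            curve=ec.group(1) if ec else None,
        ))
    return suites


def summarize(suites: List[Suite]) -> Tuple[dict, List[Tuple[str, str]]]:
    """Count verdicts and list every suite that is not OK."""
    counts = {"OK": 0, "WEAK_DH": 0, "NO_FS": 0}
    flagged = []
    for s in suites:
        counts[s.verdict] += 1
        if s.verdict != "OK":
            flagged.append((s.name, s.verdict))
    return counts, flagged


def non_fs_ranked_ahead(suites: List[Suite]) -> int:
    """How many non-FS suites the server prefers before its first FS suite.

    In server-preferred order this is what decides whether a browser that
    supports both kinds ends up on a forward-secret suite or not.
    """
    for i, s in enumerate(suites):
        if s.forward_secrecy:
            return i
    return len(suites)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    counts, flagged = summarize(parsed)
    print(counts)
    for name, why in flagged:
        print(f"{why:8s} {name}")
    print("non-FS suites preferred ahead of first FS suite:", non_fs_ranked_ahead(parsed))
```

Run against the 8.0.x list this reports five static-RSA suites, four 1024-bit DHE suites and four acceptable ECDHE suites, and shows that all five non-FS suites are ranked ahead of the first FS suite, which is why a client that supports both kinds is steered to a non-forward-secret suite. Paste a different listing into SAMPLE_LISTING (or read one from a file) to compare a profile before and after a change.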
05-19-2017 05:45 PM
Hi George,
The SSL/TLS profile hasn't changed in 8.0 either. It's been a carry-forward feature from 7.1.x. And yes, no way to disable/change anything from GUI or CLI (maybe root?). However, imho, this is not a bad option to include in the SSL/TLS profile, kinda similar to what a Decryption profile has.
I'd say you should get in touch with your SE to see if this can be incorporated in some future release.
Regards,
Anurag
05-24-2017 12:59 AM
Yes, I agree with you; maybe a Feature Request is not a bad idea.
After all, PCI and CIS compliance audits have some requirements on disabling weak ciphers etc. that PAN devices do not give the opportunity to meet.
George
07-27-2020 10:23 AM
Hi,
I'm having the same grade because of: This server does not support Forward Secrecy with the reference browsers.
How did you solve it? Any idea?
09-03-2021 09:19 AM - edited 09-03-2021 09:20 AM
Run the following commands in the CLI at the edit prompt, then commit.
set shared ssl-tls-service-profile (select your security profile here) protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings auth-algo-sha1 no